Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Does anyone else get entries in their AppGuard Activity Report of AG blocking Bouncer from writing to the registry? I do occasionally, and I wonder if it is causing any problems for Bouncer.
     
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    On installation Bouncer registers the tray application in the registry; every application installing something on your machine will write to the registry somehow. Be it a service, driver or just an app: this is Windows. I guess AppGuard also writes to the registry. So no problem here.

    I asked the developer; maybe you meant this: while running, the driver uses some registry signalling to tell that something happened (start/stop of the driver, detection of an executable). This is a technique to do signalling without using a dedicated real-mode application directly connecting to the driver. So this is why the Bouncer driver doesn't need an additional service or other tool to function. Personally I think this is a smart idea and makes Bouncer what it is, in contrast to, for example, AppGuard and all the other whitelisting apps that heavily need a user-mode application or service application to work.

    You can block the registry calls, the driver will *still* work properly (the only drawback: real-time notify won't work => so no real-time feedback, but you can still check the log file by hand, so everything is fine and, most important, Bouncer still protects).

    Why block Bouncer components?! If you don't trust Bouncer, don't use it. If you trust it and want to use it, ensure that Bouncer can do a good job (give it what it needs) and put no obstacles in its way.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. I had a feeling that was likely what happened since it happened to me a few times a while back. But it hasn't happened since I put the Exclude rule into CCleaner.
    I don't have any experience with AppGuard personally. Is it possible to create a custom rule within AppGuard that would allow Bouncer to do what it needs to do? Hopefully it's possible to allow a rule like that so that you don't keep having it blocked or filling up your AG logs.

    Aside from that, do Bouncer and AppGuard seem to co-exist nicely?
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't use the Bouncer Admin tool, so all I'm running is the driver. I do all the policy editing with Notepad or Notepad++. AppGuard is not a whitelisting application. It's a policy-based AE, and works like Bouncer in some regards. It does not require any user-mode application to protect the user. The service and GUI are only there to assist the user in making changes to the existing policy. AG uses a KMD, and all mitigations are done directly in the kernel. If the service is terminated, AG will continue to enforce its existing policy. I will send BRN an email and inform them that functionality for registry exceptions is needed. I think it's something that should have been added a long time ago.

    Edited 10/27 @ 2:05 pm
     
    Last edited: Oct 27, 2015
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    There's currently no way for the user to make registry exceptions for AG. They have coexisted nicely together up until this latest build. I have been having problems with the latest build of Bouncer. My browser (Firefox) often freezes, and my computer occasionally does as well. I just noticed the following blocked entry in Bouncer's log around the time my browser and computer began to freeze. There are no timestamps for the log entries, so it makes it difficult to troubleshoot potential conflicts.

    C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json

    Here are all the blocked events around the time my browser, and computer froze. I get these same blocked events all the time. I could make an exception for the one I just listed above, and see if that resolves the issue.

    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
    *** excubits.com beta demo ***: C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json > 94166a4d985dcdf99f46c0acb8647005fc2d6f201e89c0c9697d8761e961d2ee
    *** excubits.com beta demo ***: C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json > 3b297528c89b3ca2574a28dbd773d5140e51a81d95844dcdd109ba493ecc9f6c
    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\mshta.exe > 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
    *** excubits.com beta demo ***: C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json > 3b297528c89b3ca2574a28dbd773d5140e51a81d95844dcdd109ba493ecc9f6c
    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\mshta.exe > 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
    *** excubits.com beta demo ***: C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json > 3b297528c89b3ca2574a28dbd773d5140e51a81d95844dcdd109ba493ecc9f6c
    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\SysWOW64\mshta.exe > 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
    *** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
    *** excubits.com beta demo ***: C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json > 3b297528c89b3ca2574a28dbd773d5140e51a81d95844dcdd109ba493ecc9f6c
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech You could add multiple rules to your parent whitelist section to fix that:
    Code:
    [PARENTWHITELIST]
    C:\Windows\System32\*>C:\Windows\*
    C:\Windows\System32\*>C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*
    Or one larger rule to cover it all but would be less defined:
    Code:
    [PARENTWHITELIST]
    C:\Windows\*>*
    Then restart the Bouncer driver and you will be good to go. That will cover those recent logs related to parent whitelist. If you have any other logs that come up or any questions, please feel free to ask anytime. I am finally starting to get used to parent checking and enjoying it much more now.
     
  7. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @Cutting_Edgetech. :)
    I hope to know why AppGuard would prevent Bouncer from writing to the registry.
    As far as I know, AppGuard only prevents "guarded" applications from writing to the registry.
    For an arbitrary application "X", I think it will be "guarded" by AppGuard in either of the two following scenarios:
    • AppGuard runs in the Medium mode. X has a trusted digital signature and is launched in the user space.
    • AppGuard runs in either Medium mode or Lockdown mode. X is launched in the system space and is manually added to the "Guarded Application" list.
    For the first scenario, I do not think that you installed Bouncer in the user space. I do not think that Bouncer will drop executable files into the user space, either.
    So maybe we only need to consider the second scenario.
    Have you ever manually added something of Bouncer into the Guarded Application list?
    Please correct me if I misunderstand your problem.
     
    Last edited: Oct 27, 2015
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No, I have never added anything from Bouncer to the Guarded Apps list. I'm currently not even using the Bouncer Admin Tool. I only have the driver installed. I think it must be a bug with AG, considering AG is only supposed to block Guarded Applications from writing to certain registry keys. I'm glad you brought that to my attention. It actually slipped my mind. I will report it to the developers of AG the next time it occurs.
     
    Last edited: Oct 27, 2015
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm already using C:\Windows\*>* in my [PARENTWHITELIST]. Your second rule gives System32 access to the AppData folder, and vice versa. I would like to avoid that rule for security concerns. I can try making the rule more specific to the blocked entries and see if that resolves the problem. I just wonder why the system resource WmiPrvSE.exe needs access to WOT. Thank you for your help!

    Edited 10/27 @ 2:53 pm
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just looked at my Bouncer Log again, and I see svchost.exe from System32 folder also wants access to C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json. I think the attempted access could be kind of sketchy behavior. I could ask the developers of WOT if their plugin requires this access.
     
  11. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Yes. When I originally ran the script my hash file was much larger. After running hashfix the number of hashes was reduced dramatically. I'm not just hashing my system drive but my main data drive as well.
     
  12. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Does anyone know which is the last version of Bouncer that supports Win XP?

    Now I have 4 different installers, each of which has a digital signature with a distinct date, including:
    • May 31, 2015
    • October 5, 2015
    • October 18, 2015
    • October 31, 2015
    I hope to know which one of them is the last version that supports XP.

    By the way, I hope users who have purchased the paid version could suggest to the developer that he put a version number in the "Details" tab of the file information so that we can check it. Thanks. :)
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Those two builds were before the addition of SHA256 and parent checking. Therefore, those two would still support XP.
    Those two builds contain SHA256 and parent checking and that is where support for XP had dropped for the time being.
    I agree with you 100%. I think that the version number needs to be more apparent in the Details tab, but I also think that the download page should show some version information, release info, an old link for XP users, the last date when a new build was added, etc. I know that the developer has had his hands full lately and has overcome many hurdles and yet produced some excellent kernel software, but there definitely needs to be more information relating to different versions, because even I am getting lost with some of it over time. I will bring this up with the developer soon as well because I do think that it is very important for users.
     
  14. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
  15. Andy01

    Andy01 Registered Member

    Joined:
    Oct 23, 2015
    Posts:
    7
    I would like to ask how Bouncer compares to other anti-exe programs such as AppGuard and VoodooShield.
    Is it worthy of interest?
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Bouncer is a hybrid of policy-based AEs and whitelisting AEs. Pure whitelisting AEs block or allow executables to launch (usually only .exe's). They don't restrict what an executable is allowed to do if allowed to launch. Bouncer can limit what an application is permitted to do if allowed to launch by using its Parent Check and Parent Whitelist feature. The user can define rules in Bouncer that limit an application from launching cmd.exe, rundll32.exe, powershell.exe, etc. Bouncer also supports whitelisting and blacklisting by SHA-256 hash. Bouncer can block any executable instead of being limited to .exe's... Bouncer can also blacklist them from launching at all regardless of the parent process. Bouncer is only as limited as the experience of the user writing the rules in most regards. In my opinion Bouncer is more suited for upper intermediate users and above. I think Bouncer offers a very high level of protection and will work for anyone able to write the rules required for Bouncer to work properly. Bouncer comes with some default rules that will allow critical system components to run, and applications to run from Program Files. Bouncer runs in non-lethal mode until the user switches to lethal mode. Non-lethal mode only logs events that would be blocked in lethal mode, so the user can check the log to see what rules they need to write to prevent good applications from being blocked. The best thing to do to get an idea of how to write the rules is to look at other users' rules. Other users have shared parts of their policy file in this thread.

    Edited 11/1 @ 2:29
     
    Last edited: Nov 1, 2015
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I discovered that Bouncer prevents Type Accents from attempting outbound internet access by blocking Type Accents' access to csc.exe. Type Accents is one of those applications that constantly wants to phone home. I had it blocked in my firewall. Bouncer blocked it from even attempting outbound access. I discovered this when trying Emsisoft's Internet Security. I had not created a firewall rule yet for Type Accents, so I was wondering why EIS had not prompted me about Type Accents attempting outbound internet access. It turns out that Bouncer blocked Type Accents from even attempting outbound access.

    C:\Program Files (x86)\Type Accents\TypeAccents.exe > C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I'm not familiar with Type Accents. But what did come to my mind was that I remembered *csc.exe from one of the shared blacklists. There were 4 or 5 programs that had to do with .NET execution and that was one of them. I assume that Florian recommends that as a regular lockdown blacklist since many of those could be used maliciously. However, if any of those programs are required by any program that you use in particular such as Type Accents, you could remove *csc.exe from your blacklist if it is there so that it does not cause problems for your use. Check your regular blacklist section first and see if you are using that shared one from a while back. Or it could be a parent whitelist rule needing to be added.
    Code:
    [BLACKLIST]
    *iexplore.exe
    *powershell*.exe
    *regedit.exe
    *script.exe
    *vbc.exe
    *jsc.exe
    *ilasm.exe
    *csc.exe
    *bitsadmin.exe
    *hh.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *bcdedit.exe
    This is the shared blacklist that I was thinking of that Florian had blogged about before.
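    As an added example (not Bouncer's own code and not posted by anyone in this thread), here is an offline Python model of how the PARENT>CHILD wildcard rules from post 6, the shared blacklist above, and the log lines from posts 5 and 17 fit together: it parses a small policy and reports, for each logged parent/child pair, which parent whitelist rules would cover it and whether the child is on the blacklist, which is the check a user does by hand before adding a rule. It assumes that '*' matches any run of characters and that paths compare case-insensitively; Bouncer's real matching semantics may differ.

```python
"""Offline model of Bouncer-style rule matching (added example, not Bouncer's engine).
Assumes a rule is PARENT>CHILD, '*' matches anything including backslashes, and paths
compare case-insensitively."""
import fnmatch

# Policy constructed from this thread: post 6's two parent whitelist rules, the
# broad C:\Windows\*>* rule, and two entries of the shared blacklist above.
POLICY = r"""[BLACKLIST]
*powershell*.exe
*csc.exe
[PARENTWHITELIST]
C:\Windows\System32\*>C:\Windows\*
C:\Windows\System32\*>C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*
C:\Windows\*>*
"""
# Log lines copied from posts 5 and 17; the trailing field is the SHA-256 Bouncer logged.
LOG = r"""*** excubits.com beta demo ***: C:\Windows\System32\svchost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe > a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
*** excubits.com beta demo ***: C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Users\achilles\AppData\Roaming\Mozilla\Firefox\Profiles\2kofkxxe.default\WOT\storage.json > 94166a4d985dcdf99f46c0acb8647005fc2d6f201e89c0c9697d8761e961d2ee
C:\Program Files (x86)\Type Accents\TypeAccents.exe > C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"""

def parse_policy(text):
    """Split the INI-like policy into {SECTION: [rule, ...]}; blank lines are skipped."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def parse_log_line(line):
    """Return (parent, child, sha256_or_None), or None if the line has no 'A > B'."""
    body = line.split("***: ", 1)[-1]  # drop the '*** ... ***:' prefix when present
    parts = [p.strip() for p in body.split(" > ")]
    if len(parts) < 2 or not parts[0]:
        return None
    return parts[0], parts[1], (parts[2] if len(parts) > 2 else None)

def path_matches(pattern, path):
    """Case-insensitive wildcard compare; '*' may span directory separators."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def matching_parent_rules(policy, parent, child):
    """All [PARENTWHITELIST] rules whose PARENT and CHILD halves both match."""
    hits = []
    for rule in policy.get("PARENTWHITELIST", []):
        parent_pat, _, child_pat = rule.partition(">")
        if path_matches(parent_pat, parent) and path_matches(child_pat, child):
            hits.append(rule)
    return hits

def blacklist_hit(policy, path):
    """First [BLACKLIST] pattern matching the path, or None."""
    return next((p for p in policy.get("BLACKLIST", []) if path_matches(p, path)), None)

def audit(policy_text=POLICY, log_text=LOG):
    """Per logged parent>child pair: covering whitelist rules and any blacklist hit on the child."""
    policy, report = parse_policy(policy_text), []
    for parent, child, digest in filter(None, map(parse_log_line, log_text.splitlines())):
        report.append({"parent": parent, "child": child, "sha256": digest,
                       "parent_rules": matching_parent_rules(policy, parent, child),
                       "blacklisted_by": blacklist_hit(policy, child)})
    return report
```

    Running audit() shows that the broad C:\Windows\*>* rule covers every System32 entry while the narrower post 6 rules each cover only one, and that the Type Accents entry from post 17 is caught by the *csc.exe blacklist pattern with no parent rule matching it.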
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Type Accents is an application that allows typing in multiple languages. I have csc.exe on my blacklist, but I don't mind Bouncer blocking it. It has not caused any problems in functionality for Type Accents that I'm aware of. It has only prevented Type Accents from attempting outbound internet access, which I like. I have been blocking Type Accents from outbound internet access anyway.
     
  20. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Bouncer developer Florian just did an interesting blog (https://excubits.com/content/en/news.html) which is based upon a presentation from Information Security Analyst Casey Smith (https://github.com/subTee/ShmooCon-2015/raw/master/ShmooCon-2015-Simple-WLEvasion.pdf) regarding methods to bypass Application Whitelisting by using built-in .NET executables. Both are interesting to read. Florian's blog goes on to show some methods to mitigate against these evasion methods.

    Some additional info here as well: https://github.com/subTee/ShmooCon-...h-SimpleWindowsApplicationWhitelistingEvasion
    But the GitHub text does not seem to word wrap, so for that info you might need to copy the text into Notepad or Notepad++ to read it better.
     
  22. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I've just added:

    Code:
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    
    to my blacklist after reading the blog post. Thanks @WildByDesign.

    I rehashed my entire system today after installing some Windows Updates. And with TH2 coming out next week for Win10 I guess I'll be doing it again soon!
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that heads up on the .Net potential. Kudos to Florian for tacking it down everywhere it can be found.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Cool, I didn't even know about this blog, it's interesting indeed. BTW, what about the app that blocks code injection, is it already available, or will it be added to Bouncer?
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Rasheed187 The developer has a beta version of that MemProtect driver available on the Beta Camp page (https://excubits.com/content/en/products_beta.html) which I assume is what is being referred to. That driver takes advantage of Windows built-in Protected Processes feature within the kernel which is often used to protect built-in Windows components, but I believe that antivirus companies also utilize this protection for their drivers as well. So this MemProtect driver essentially just allows you to extend that Protected Processes functionality to give memory protection to any programs that you want, from any directories that you want, portable apps being one example. Also on the Beta Camp page is the MZWriteScanner driver which basically blocks executables from being written in the first place in whichever directories you choose.

    Actually, I do believe that the developer intends on adding the MemProtect feature/functionality into Bouncer. Bit by bit, as these individual drivers prove themselves, they will be added into the main Bouncer driver. However, I believe that the current plan is to add the CommandLineScanner (https://excubits.com/content/en/products_commandlinescanner.html) functionality into Bouncer next, which gives full granular control over interpreters. After that, MemProtect may follow. The thing that I like about it is that the user can enable/disable individual features, since some of these hardcore features would not be needed by most users. A lot of them are more for forensics use and such. I believe that is what US-CERT is using the individual drivers for right now as well, education and forensics.
     